b'OFFICE OF INSPECTOR GENERAL\n\n            Audit Report\n\n Audit of the Railroad Retirement Board\xe2\x80\x99s\n   Medicare Major Application System\n\n            Report No. 09-06\n           September 30, 2009\n\n\n\n\nRAILROAD RETIREMENT BOARD\n\x0c                                       TABLE OF CONTENTS\n\n\nIntroduction\n Background ................................................................................................................. 1\n Objective...................................................................................................................... 2\n Scope .......................................................................................................................... 2\n Methodology ................................................................................................................ 2\n\nResults of Review\n Dataset Rules Do Not Enforce Least Privilege ............................................................ 4\n Access Controls that Enforce Least Privilege Need Improvement............................... 6\n Accountability over ACF2 Audit Logs Needs Improvement ......................................... 7\n Audit Log Content Needs Expansion ........................................................................... 9\n Audit Log of Security Violations is Misleading ........................................................... 10\n\nAppendices\n Appendix I Bureau of Information Services Management\xe2\x80\x99s Response ..................... 11\n Appendix II Office of Programs Management\xe2\x80\x99s Response ....................................... 13\n\n\n\n\n                                                               i\n\x0c                                     INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of the\nRailroad Retirement Board\xe2\x80\x99s (RRB) Medicare major application system.\n\nBackground\n\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad Retirement\nAct and the Railroad Unemployment Insurance Act. These programs provide income\nprotection during old age and in the event of disability, death, temporary unemployment\nor sickness. The RRB paid over $10.1 billion in benefits during fiscal year (FY) 2008.\n\nThe Medicare program is a Federal health insurance program for people age 65 or older\nand certain disabled people. The program is run by the Centers for Medicare and\nMedicaid Services and the U.S. Department of Health and Human Services. Persons\ncovered under the Railroad Retirement system participate in Medicare on the same\nbasis as those under the Social Security system. The RRB enrolls railroad retirement\nbeneficiaries in the program and deducts Medicare premiums from their monthly benefit\npayments.\n\nThe RRB\xe2\x80\x99s Medicare major application system includes the Medicare Information\nRecorded, Transmitted, Edited and Logged (MIRTEL) system. MIRTEL is a batch file\nsystem that is run daily. It establishes and maintains records for the RRB\xe2\x80\x99s Medicare\nbeneficiaries. The Medicare major application system also includes the:\n\n\xe2\x80\xa2   MIRTEL On-Line Inquiry (MOLI) database that allows view-only access to select\n    data for Medicare records in MIRTEL;\n\xe2\x80\xa2   Medicare Correction (MEDCOR) database system which allows on-line data input\n    used in updating MIRTEL;\n\xe2\x80\xa2   Medicare Referral (MEDREF) database system which allows on-line viewing of\n    MIRTEL rejects and referrals, which can be corrected using MEDCOR; and\n\xe2\x80\xa2   Monthly Adjustment of MIRTEL Master (MAMMA) which adjusts MIRTEL for\n    changes in the RRB\xe2\x80\x99s beneficiary payment master file used to produce monthly\n    benefit checks. Like MIRTEL, MAMMA is also a batch file system.\n\nThe Office of Programs is the owner-of-record for the RRB\xe2\x80\x99s Medicare and benefit\npayment applications. They also have responsibilities for all of the RRB\xe2\x80\x99s Medicare\nactivities. These activities include eligibility determinations, enrollment processing, the\ncollection of premiums, the recovery of overpayments, and the payment of Canadian\nclaims.\n\nThe Bureau of Information Services (BIS) has responsibility for the security of all\nMedicare applications and data files. BIS maintains the security for these applications\nand data files using ACF2, a commercial access control software product. Using ACF2,\naccess to MEDCOR and MEDREF is provided through one or more access privileges\n\n\n                                             1\n\x0cfor the combined systems. The first level of access acts as a gateway to the two\ndatabase systems and allows view-only privileges. Any additional levels of access\nprovide transaction-level privileges such as create, update, or delete.\n\nThis audit was conducted pursuant to the Federal Information Security Management Act\nof 2002 (FISMA) which requires annual OIG security evaluations. 1 This audit also\nsupports the RRB\xe2\x80\x99s strategic goal of serving as responsible stewards of the agency\xe2\x80\x99s\ntrust funds and financial resources, and its objective to ensure the effectiveness,\nefficiency, and security of operations.\n\nObjective\n\nThe objective of this review was to perform a system-level assessment of the Medicare\nmajor application to determine if security controls were in place, operated as intended,\nand met the requirements established by FISMA. The security controls reviewed in\ndetail include access controls, audit and accountability, identification and authentication,\nand system and information integrity.\n\nScope\n\nThe scope of this evaluation was FY 2009 and included the Medicare major application\nand the general support system environment in which it operates.\n\nMethodology\n\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   reviewed pertinent laws and guidance;\n\xe2\x80\xa2   obtained and reviewed listings of all user accounts associated with the Medicare\n    major application as of January 14, 2009 and February 5, 2009, and verified that\n    each user was a current employee or an authorized non-RRB employee user, and\n    was uniquely identified;\n\xe2\x80\xa2   obtained and reviewed documentation as of February 5, 2009, to support the\n    individual access profiles of all users that had access to the MOLI, MEDCOR, and\n    MEDREF databases to determine if their access was appropriate to job function;\n\xe2\x80\xa2   obtained and reviewed documentation from December 2, 2008 through January 9,\n    2009, to support access to all Medicare major application dataset files, including\n    those associated with database and batch processes, to determine whether the\n    access granted was appropriate to job function;\n\n\n\n\n1\n Federal Information Security Management Act of 2002, Title III of the E-Government Act of 2002,\nP.L. 107-347 (December 2002).\n\n\n                                                   2\n\x0c\xe2\x80\xa2   obtained and reviewed documentation to support the periodic reauthorization of user\n    access privileges to the MOLI, MEDCOR, and MEDREF databases performed in\n    August 2008, to evaluate the effectiveness of the reauthorization process;\n\xe2\x80\xa2   verified the filing and retention of information system media, both digital and\n    non-digital, to determine whether access was appropriately restricted;\n\xe2\x80\xa2   obtained and reviewed documentation to support the audit of, and accountability\n    over, Medicare output/production reports, audit logs, and information system\n    violation reports;\n\xe2\x80\xa2   obtained and reviewed documentation to support the existence and operation of\n    system and information integrity controls which include information input restrictions;\n    accuracy, completeness, and validity; error handling; and information output\n    handling and retention; and\n\xe2\x80\xa2   interviewed responsible agency management and staff.\n\nThe primary criteria for this evaluation included:\n\n\xe2\x80\xa2   FISMA;\n\xe2\x80\xa2   National Institute of Standards and Technology (NIST) Special Publication (SP)\n    800-53; 2\n\xe2\x80\xa2   Government Accountability Office (GAO) Standards for Internal Control in the\n    Federal Government; 3\n\xe2\x80\xa2   Office of Management and Budget (OMB) Circular A-130; 4 and\n\xe2\x80\xa2   RRB policies and procedures.\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives. Fieldwork was conducted at RRB headquarters in Chicago, Illinois\nfrom November 2008 through July 2009.\n\n\n\n\n2\n  Recommended Security Controls for Federal Information Systems, NIST SP 800-53 (December 2007).\n3\n  Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).\n4\n  Management of Federal Information Resources, OMB Circular A-130 (November 2000).\n\n\n                                                3\n\x0c                                     RESULTS OF REVIEW\n\nOur review of the Medicare major application determined that the identification and\nauthentication, and system and information integrity controls were in place, operated as\nintended, and met the requirements established by FISMA. However, we found that the\nsecurity controls over access, and controls over audit and accountability, need\nimprovement.\n\nThe details of our findings and recommendations for corrective action follow. Agency\nmanagement has agreed to take the recommended corrective actions except for\nrecommendations one and two. The full texts of management\'s responses are included\nin this report as Appendices I and II.\n\nDataset Rules Do Not Enforce Least Privilege\n\nRules that govern dataset file access do not enforce least privilege.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications and application rules. Appendix III Security of Federal Automated\nInformation Resources defines least privilege as "the practice of restricting a user\xe2\x80\x99s\naccess (to data files, to processing capability, or to peripherals) or type of access (read,\nwrite, execute, delete) to the minimum necessary to perform his or her job."\n\nOur review of approximately 386 dataset rules that provide users\xe2\x80\x99 access to Medicare\ndata files showed that the RRB has written many dataset rules using a "wildcard"\ndesignator recognized by ACF2. Wildcard designators allow the substitution of any\ncharacter in place of the wildcard. As a result, a wildcard designator will allow a user\naccess to any dataset which matches the preliminary dataset name. For example,\n"P.BRC.-" (where "-" is the wildcard designator) allows access to any dataset that\nbegins with "P.BRC.". We observed that the RRB has over 10,250 datasets that begin\nwith "P.BRC.", the majority of which are for non-Medicare applications and include\npersonally identifiable information such as names and social security numbers. 5\n\nWe also identified six users with excessive rights to Medicare dataset files; the access\nprivileges provided were more than the users required for the current job function. Four\nof the six individuals had full access (read, write, execute, and allocate) to the dataset\nfiles involved. These datasets (not "P.BRC.") were also assigned using a wildcard\ndesignator. The other two individuals did not require any access at all, and had the\nability to read and execute all "P.BRC." dataset files.\n\nWe found that the RRB has not established standards to address how wildcard\ndesignators will be used when providing dataset access. Although the use of a wildcard\ndesignator can be an efficient method of providing access as each individual dataset\n\n5\n There are 79 users with "P.BRC.-" access, and approximately 175 Medicare dataset files that begin with\n"P.BRC.". Dataset files are used in both database systems and batch file systems.\n\n\n                                                  4\n\x0cdoes not need to be enumerated for every user, overly broad wildcard usage can allow\nfar greater access privileges than intended.\n\nExcessive rights and privileges to data and sensitive system programs weaken the\noverall information security program, and prevent management from ensuring that their\ninformation systems are protected from intentional or unintentional modification, or\ninappropriate viewing of privacy-related information.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n   1. establish a standard for the use of wildcard designators when preparing dataset\n      access rules; and\n\n   2. evaluate current dataset access rules and enforce the principle of least privilege\n      by restricting overly broad wildcard access use.\n\nManagement\'s Response\n\nThe Bureau of Information Services disagrees with the recommendations because\nwildcard designators are used whenever they facilitate the administration of resources\nand dataset access is allocated upon request as authorized and instructed by system\nowners.\n\nOIG\'s Comments on Management\'s Response\n\nWith respect to the use of wildcard designators, we acknowledge their efficiency in\nfacilitating the administration of resources and the difficulties that would arise if their use\nwere fully restricted. However, because large volumes of sensitive data for many\nbeneficiaries is easily accessible via dataset accesses, we strongly believe that wildcard\ndesignators should be used judiciously and in a manner that does not unreasonably\nincrease the RRB\'s risk for a breach of personally identifiable information. Therefore,\nwe seek improvement in the RRB\'s access control strategy by recommending that BIS,\nas the experts in access control, examine ways to reduce system owner\'s reliance on\noverly broad wildcard use. This includes establishing a standard for wildcard usage,\nand reviewing the current accesses provided via wildcard use and enforcing the\nprinciple of least privilege by restricting overly broad wildcard access use.\n\n\n\n\n                                              5\n\x0cAccess Controls that Enforce Least Privilege Need Improvement\n\nMainframe access controls, including the reauthorization process, are ineffective in\nensuring least privilege for Medicare systems.\n\nOMB Circular A-130 requires agencies to incorporate controls such as least privilege\ninto applications. The RRB has implemented an annual reauthorization review of\nmainframe systems accesses to enforce least privilege.\n\nOur review of user access privileges for Medicare database systems disclosed users\nwho have inappropriate access based on their job functions. Additionally, our review of\nthe reauthorization process for Medicare database systems showed that it was\nineffective in removing all users with inappropriate access, identifying potentially\ninappropriate access, and did not include contractors with access privileges. Our\nreviews revealed problems in the following areas:\n\n                                                             Number of Users        Number of Users\n                                                                 MOLI              MEDCOR/MEDREF\nInappropriate Access Based on Job Function                         1                      4\nReauthorization Response Not Addressed by BIS                        5                       2\nReauthorization Response Partially Addressed by BIS 6                                       11\nReauthorization Did Not Consider Contractor                          8                       3\nOther Questionable Access                                                                   22\n\n\nWe previously reported problems with the RRB\xe2\x80\x99s reauthorization process and made a\nrecommendation for BIS to implement a quality assurance program to ensure timeliness\nand effectiveness. 7 That recommendation is pending corrective action. We were\nadvised by the Chief Security Officer that an attempt was made to perform a quality\nassurance assessment of the reauthorization process included in our review, and that\nhe was unable to complete that assessment and attest to the user access due to\ndocumentation problems he encountered during his review. He also advised that he did\nnot keep records of his quality assurance attempt, but stated that he made a\nrecommendation for improved retention of access authorizations to facilitate future\nassessments.\n\nExcessive rights and privileges to applications and ineffective reauthorization of an\nindividual\'s rights and privileges weaken the overall information security program. As a\nresult, management cannot ensure that their information systems are protected from\nintentional or unintentional modification.\n\n\n6\n  Actions taken by BIS pursuant to these reauthorization responses resulted in only the deletion of the\ninitial level of MEDCOR access, and not the users\xe2\x80\x99 higher level of access. In effect, the higher level of\naccess is not operational, but represents old, outdated information that clutters the ACF2 security system.\n7\n  Review of Mainframe Access Controls at the Application Level RRB-Developed Applications Controlled\nby ACF2 and IDMS, OIG Report No. 04-08, September 7, 2004, Recommendation 1.\n\n\n                                                    6\n\x0cRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n    3. remove the old, outdated information identified in our review; and\n\n    4. ensure contractor access is reauthorized annually.\n\nWe recommend that the Office of Programs:\n\n    5. review the inappropriate and questionable accesses identified in our review and\n       initiate access modification requests, based on that review.\n\nManagement\'s Responses\n\nThe Bureau of Information Services agrees with the recommendations and advises that\nthe data will be modified, and contractor access will be reauthorized annually as part of\nthe regularly scheduled reauthorization process.\n\nThe Office of Programs agrees with the recommendation and advised that they have\ntaken corrective action.\n\n\nAccountability over ACF2 Audit Logs Needs Improvement\n\nThe RRB has not enforced proper segregation of duties over, or maintained adequate\nretention of ACF2 audit log reviews.\n\nGAO\'s Standards for Internal Control in the Federal Government require key duties and\nresponsibilities to be divided or segregated among different people, including the\nresponsibilities for processing, recording, and reviewing transactions. It states, "[n]o\none individual should control all key aspects of a transaction or event." These key\naspects would include the production of ACF2 audit logs of system administrator\nactions, and their subsequent review.\n\nThe RRB has defined auditable events as "failed user authentication attempts, changes\nto users\xe2\x80\x99 systems security information, and organization- and application-specific\nsystems security-relevant events" such as system administrator actions. 8 ACF2\nprovides the means to produce administrative reports, including audit logs of\nadministrator activities, electronically or in hard-copy paper format. Special privileges\nheld by the system administrator allow for the production of these reports. ACF2 also\nallows a user with the "AUDIT" special privilege to produce these reports. Currently, the\nRRB\xe2\x80\x99s ACF2 system administrator produces the reports in hard-copy paper format, and\nhand delivers the audit logs to the responsible manager for review. The RRB has\n\n8\n RRB Information Systems Security Policy, Standards and Guidelines Handbook, Chapter 11 (June\n2007).\n\n\n                                                7\n\x0cadvised us that the various reports cannot be separated into separate print jobs, and the\nresponsible manager has not been granted the "AUDIT" special privilege in order to\nproduce the audit logs themselves.\n\nIn addition, the RRB has not specified a specific retention period for audit logs other\nthan that which is needed to support after-the-fact investigations. Rather, they have\ndesignated a three-year retention period for the source data from which the audit logs\nare produced. However, due to a change in tape processing specifications for the\nretention of source data, the RRB did not have a full three years of data available that\ncould be used for the recreation of audit logs. 9 We were told that the responsible\nmanager retains the hard-copy ACF2 audit logs until his two designated binders are full,\nand then he purges the logs on a first-in first-out basis, regardless of the log\xe2\x80\x99s age.\n\nAs a result, the audit log of administrator actions that is produced for review is\nvulnerable to mishandling through loss or unauthorized alteration, and management\ncannot ensure their control objectives will be achieved.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n    6. provide the responsible manager with the "AUDIT" special privilege so he can\n       electronically produce and review the audit logs of system administrator\n       activities; and\n\n    7. establish a retention period for the audit logs of administrator actions, and\n       maintain the electronically produced audit logs in accordance with that retention\n       period.\n\nManagement\'s Response\n\nThe Bureau of Information Services agrees with the recommendations and advises that\nthe responsible manager will be provided the "AUDIT" special privilege as part of the\nconversion to RACF, and that electronically produced audit logs of administrator actions\nwill be maintained for three years by the Infrastructure Services Center.\n\n\n\n\n9\n The RRB has modified their tape processing specifications from retaining a year\'s worth of data\nseparately on tapes for 3 years, to retaining a month\'s worth of data separately on tapes for 36 months.\nAt the time of our review, the RRB had 19 monthly tapes and no yearly tapes.\n\n\n                                                    8\n\x0cAudit Log Content Needs Expansion\n\nThe content of the ACF2 audit logs of administrative actions is not detailed enough to\nallow meaningful review.\n\nNIST SP 800-53 requires information systems to produce "audit records that contain\nsufficient information to establish what events occurred, the sources of the events, and\nthe outcomes of the events." 10 Audit log reports are useful in ensuring that the system\nor resources have not been harmed by hackers, insiders, or technical problems. As\npreviously discussed, the RRB has defined specific auditable events for security-related\ndata and has implemented procedures for the review of those events.\n\nPreviously, we recommended that the RRB begin reviewing logs of administrator\nactions. 11 However, management\'s corrective action to address this recommendation is\nnot sufficient to meet NIST requirements because the content of the audit records is not\nsufficient to allow meaningful analysis. We found that two of the three audit logs\nproduced for management\'s review contain only summary data of system administrator\nactions. 12 This summary data only states that an action took place, not the actual\nsetting that was changed. A "before and after" image of the modified record or access\nrule is available in a detailed report, which is not currently being produced.\n\nAs a result, the RRB systems are vulnerable to misuse or abuse without early detection\nand management cannot ensure their control objectives will be achieved.\n\nRecommendation\n\nWe recommend that the Bureau of Information Services:\n\n     8. produce the logs of system administrator activities using the detailed format for\n        review by the responsible manager.\n\nManagement\'s Response\n\nThe Bureau of Information Services agrees with the recommendation and advises that\ndetailed format logs will be produced for review by the responsible manager.\n\n\n\n\n10\n   Recommended Security controls for Federal Information Systems, NIST SP 800-53, Appendix F,\nSecurity Control AU-3 Content of Audit Records (December 2007).\n11\n   Fiscal Year 2004 Evaluation of Information Security at the Railroad Retirement Board, OIG Report\nNo. 04-11, September 30, 2004, Recommendation 7.\n12\n   The two ACF2 audit logs that are produced in summary format are the Information Storage Update Log\nand the Rule Modification Log.\n\n\n                                                  9\n\x0cAudit Log of Security Violations is Misleading\n\nThe RRB\xe2\x80\x99s audit log of security violations is misleading because it produces many false\npositive occurrences of unsuccessful user attempts to access the Medicare component\napplications.\n\nNIST SP 800-53 requires information systems to produce "audit records that contain\nsufficient information to establish what events occurred, the sources of the events, and\nthe outcomes of the events." 13 Audit trails, or logs, maintain a record of system or user\nactivity and can assist in detecting security violations, performance problems, and flaws\nin applications.\n\nThe RRB\xe2\x80\x99s ACF2 systems administrator performs daily on-line reviews of the\nunsuccessful user attempts. However, the report of these security violations includes\nmany false positive occurrences of unsuccessful user attempts. BIS management has\nadvised this is because of the manner in which user access attempts are recognized by\nthe Medicare application program code. We were advised that when an authorized user\naccesses MEDCOR, the programming code attempts to log the user into all possible\nlevels of MEDCOR access, regardless of what level of access the user has been\ngranted and tried to use. These occurrences are known as false positive security\nviolations, because it appears a violation occurred, when one did not.\n\nThe RRB\xe2\x80\x99s ACF2 systems administrator stated that several of the RRB\xe2\x80\x99s systems\nproduce similar false positive security violations. As a result, the review of unsuccessful\nuser attempts is greatly hampered, and ultimately ineffective in ensuring RRB systems\nare not misused or abused without early detection. The RRB is currently in the process\nof modernizing their legacy systems. This IT Capital Plan Element is to be performed\nover the next 10 years with individual systems modernized based on a "high value/high\nrisk" assessment and is to include improved accuracy and security of the systems and\ntheir transactions. The modernization of the RRB\'s Medicare major application is\ncurrently underway. This effort provides an opportunity to introduce programming\nchanges that will eliminate the false positive security violations discussed above.\n\nRecommendation\n\nWe recommend that the Office of Programs:\n\n     9. request analysis and programming revisions of the Medicare major application to\n        ensure that only true security violations will be identified and reported.\n\nManagement\'s Response\n\nThe Office of Programs agrees with the recommendation and will submit a request for\nanalysis and programming.\n\n13\n  Recommended Security controls for Federal Information Systems, NIST SP 800-53, Appendix F,\nSecurity Control AU-3 Content of Audit Records (December 2007).\n\n\n                                               10\n\x0c                                                                     Appendix I\n                                                                                        FORM G-1151 (1-92)\n                  UNI\'[,l<~D STA\'I\'l<:S GOVEHNM";N\'l\'\n                                                                   RAILROAD RETIHEMf;N\'I\' HOARD\n                  MEMORANDUM\n\n\n\n\n                                                               September 28, 2009\n\nTO\t           Letty B. Jay,\n              Assistant Inspector General for Audit\n\nFROM\t         Terri S. Morgan,                "\';/. dll!~\n              Chief Information Officer      {;(IUA /II! ~ II\nSUB..IECT:\t Draft Report - Audit of the RRB\'s Medicare Major Application System\n\n\nThank you for the opportunity to review and respond to the subject draft report. The\nfollowing are the responses to the recommendations included in the report that were\naddressed to the Bureau of Information Services.\n\nRecommendation #1\nWe recommend that the Bureau of Information Services establish a standard for the use\nof wildcard designators when preparing dataset access rules.\n\nResponse\nBIS disagrees with the recommendation. The RRB dataset logical access control is\nbeing converted from the CA-ACF2 program to the IBM-RACF product for securing\ncomputer data. Although RACF will change the control strategy from that of focusing on\nan individual\'s data access to that of group access, the use of wildcard designators\nwithin the RACF environment will be similar to its use within CA-ACF2. Wildcard\ndesignators are used whenever they facilitate the administration of resources as\nprescribed by the instructions of the data owners.\n\nRecommendation #2\nWe recommend that the Bureau of Information Services evaluate current dataset\naccess rules and enforce the principle of least privilege by restricting overly broad\nwildcard access use.\n\nResponse\nBIS disagrees with this recommendation. Dataset access is allocated upon request as\nauthorized by system owners. BIS administers data access as instructed by system\nowners and is not responsible for determining least privilege or defining the least\namount of privileges needed by users to perform their business functions.\n\nRecommendation #3\nWe recommend that the Bureau of Information Services remove the old, outdated\ninformation in our review.\n\n\n\n\n                                                 11\n\x0c                                                                      Appendix I\n\n\n\nResponse\nBIS agrees with this recommendation. The Systems Assurance Group is responsible\nfor modification of this data, which will be changed by September 30, 2009.\n\nRecommendation #4\nWe recommend that the Bureau of Information Services ensure contractor access is\nreauthorized annually.\n\nResponse\nBIS agrees with this recommendation and the Systems Assurance Group will ensure\nthat contractor access is reauthorized annually as part of the regularly scheduled re\xc2\xad\nauthorization process. The next round of re-authorizations is scheduled to occur in the\n1st calendar quarter of 2010.\n\nRecommendation #6\nWe recommend that the Bureau of Information Services provide the responsible\nmanager with the "AUDIT" special privilege so he can electronically produce and review\nthe audit logs of system administrator activities.\n\nResponse\nBIS agrees with this recommendation and will make this change to provide the Chief of\nOperations Services and Systems Assurance in Infrastructure Services Center with the\n"AUDIT" special privilege as part of the conversion to the IBM\xc2\xb7RACF system that is\nscheduled for implementation on or before December 1, 2009.\n\nRecommendation #7\nWe recommend that the Bureau of Information Services establish a retention period for\nthe audit logs of administrator actions, and maintain the electronically produced audit\nlogs in accordance with that retention period.\n\nResponse\nBIS agrees with the recommendation. A three year retention period for the source data\nfrom which the audit logs are produced is already in place. On or before December 1,\n2009, after the logical access control is changed to the IBM RACF utility, electronically\nproduced audit logs of administrator actions will be maintained for three years by\nInfrastructure Services Center.\n\nRecommendation #8\nWe recommend that the Bureau of Information Services produce the logs of system\nadministrator activities using the detailed format for review by the responsible manager.\n\nResponse\nBIS agrees with this recommendation. On or before December 1,2009, after the logical\naccess control is changed to the IBM RACF utility, detailed format logs will be produced\nfor review by the Chief of Operations Services and Systems Assurance\nin Infrastructure Services Center.\n\n\n\n\n                                           12\n\x0c                                                                                  Appendix II\n\n                                                                                            FORM    G-115f (1-92)\n\n                                                                          RAILROAD   RETIREMENT       BOARD\n                      MEMORANDUM\n                                                                             SEP 11 2009\n\n                 Letty Benjamin Jay\n                 Assistant Inspector General    udit\n\n\n                 Catherine A. Leyse\n                 Director of Assess\n                                        ~d\n                                       nt and Training\n                                                            ~~     /--\n\n                 Dorothy Isherwood ~Ju.Ut~\n                 Director of Programs  \'-\n\n\n\n                 Draft Report - Audit of the Railroad Retirement Board\'s Medicare\n                 Major Application System\n\n\n\n\nOverall           We have reviewed the draft report and appreciate the fact that the review\ncomments          determined that identification and authentication, and system and information\n                  integrity controls were in place, operated as intended, and met the\n                  requirements established by FISMA.\n\n                  We concur with the recommendations        and will take action on those directed\n                  to the Office of Programs as follows.\n\n\nRecommendation    The OIG recommends that the Office of Programs:\n5\n                  Review the inappropriate and questionable access identified in our review,\n                  and initiate access modification requests, based on that review.\n\n\n\nOP Response        We agree. In fact we have already taken corrective action. Documentation of\n                   our corrective action was provided as a separate submission on September 3,\n                   2009. We believe that this recommendation can be considered implemented.\n\n\n\nRecommendation    The OIG recommends that the Office of Programs\n9\n                  Request analysis and programming revisions of the Medicare major\n                  application to ensure that only true security violations will be identified and\n                  reported.\n\n\n\n\n                                                       13\n\x0c                                                                               Appendix II\n\n\n\n\nOPResponse\t     We concur. A request for analysis and programming will be submitted by\n                December 31, 2009. At that point we expect that this audit recommendation\n                would be considered implemented.\n\n                Because the recommendation does not involve a significant finding or\n                vulnerability, we do not expect the Bureau of Information Services to allocate\n                resources to the request until the issue can be investigated as part of system\n                modernization efforts.\n\n\n\ncc:   Chief Information Officer\n      Director of Policy and Systems\n\n\n\n\n                                              14\n\x0c'